Unusual malware symptoms choke email & Excel

I believe I have malware on my PC (XP SP2).
I am looking for ideas to clean it.

I observe the following:

Problem behavior:
1. I run Avast (4.8 with automatic updates) and have received virus warnings about 5 times in the past month.

I have run 10 boot time scans with Avast. My warning.log file identifies three issues:
7/4/2009 8:58:55 AM 1246723135 SYSTEM 1532 Sign of “JS:Pdfka-JV [Expl]” has been found in “hXXp://bafstone.com/img/pfqe.php{gzip}” file.
7/25/2009 12:14:15 PM 1248549255 SYSTEM 1524 Sign of “Win32:Bifrose-EGW [Trj]” has been found in “C:\WINDOWS\Installer\aca27.msp” file.
7/27/2009 11:53:43 PM 1248764023 SYSTEM 1384 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.

I see a file with the Bifrose Trojan in my Avast Chest.

A couple of boot-time scans with Avast revealed warning messages about approximately 10 various .zip files and archive files.
After boot time, most of the files were typically missing when I hunted for them with Windows Explorer, except one file, <>, which I had downloaded from http://wXw.gutenberg.org/ on April 11, 2009.
I deleted the <> file. (I now realize I should have preserved it – perhaps I could have found some way to move it to the Avast chest?) This file is no longer on the Gutenberg website. When I unzipped this file, it was in a Microsoft Help file format (CHM, I think), and when I went to a help page with an extensive list of commands, the MS Help application seemed to freeze. (I was unable to use Avast to discover malware in this file at Windows run time – I saw warnings only during pre-boot scans. Is there a way to use Avast to generate warnings for these .zip and archive files during Windows post-boot operation?)
I no longer have the Avast warning messages, but given my repeated experience last week, could probably recreate them with a boot-time scan.

MAIN SYMPTOM:
When I attempt to use my Yahoo email account via Firefox, I notice slower response times (ranging from 2 times to 10 to 100 times slower). Yahoo gives me error messages sometimes that I might have malware or an ISP performance problem.

MAIN SYMPTOM:
When I attempt to run Microsoft Excel, it fails to run. Instead, a dialog box says that it is trying to install. Eventually the install fails. I get an error message: “Problem with Shortcut” “This patch package could not be opened. Verify that the patch package exists and that you can access it. Or contact the application vendor to verify that it is a valid Windows Installer patch package.”
I notice that the shortcut file is dated July 2009. This doesn’t make sense to me since I installed Excel years ago. I notice that the actual application file itself also has a recent date (EXCEL.EXE, 5/5/2009). This is also confusing to me.

POSSIBLE RELATED ISSUE:
I notice MS Word has similar confusing dates – like MS Excel – though it appears to work.

POSSIBLE RELATED ISSUE:
I have problems with MS Outlook – it crashes when I open old emails.
For a while, it also seemed to have problems with trying to reinstall – though that issue has now disappeared.

I ran Spybot Search and Destroy last week, but this did not seem to resolve the issue.

Can you please suggest possible solutions to fix this situation?

Thank you much!
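As an added example (not code from the original post, and not anything shipped by avast), here is a small Python parser for warning.log lines of the form quoted above. The field layout (date, time, Unix epoch, account, PID, message) is an assumption inferred from those three lines only, as is the split between "Sign of … found in …" detections and "Function … has failed" engine errors. The parser also checks that the epoch column and the wall-clock column agree on one UTC offset, which is a cheap way to catch clock drift or tampering when turning such a log into a timeline.

```python
"""Parse avast 4.8 warning.log lines into structured records (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample input: the three lines quoted in the post, kept verbatim
# (including the hXXp defanging and the curly quotes avast writes).
SAMPLE_LOG = "\n".join([
    "7/4/2009 8:58:55 AM 1246723135 SYSTEM 1532 Sign of “JS:Pdfka-JV [Expl]” has been found in “hXXp://bafstone.com/img/pfqe.php{gzip}” file.",
    "7/25/2009 12:14:15 PM 1248549255 SYSTEM 1524 Sign of “Win32:Bifrose-EGW [Trj]” has been found in “C:\\WINDOWS\\Installer\\aca27.msp” file.",
    "7/27/2009 11:53:43 PM 1248764023 SYSTEM 1384 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.",
])

# Assumed field layout, inferred from the sample lines only:
#   M/D/YYYY  h:mm:ss AM|PM  unix-epoch  account  pid  free-text message
PREFIX_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<epoch>\d+) (?P<user>\S+) (?P<pid>\d+) (?P<msg>.*)$"
)
Q = '[“”"]'        # accept curly or straight quotes around names and paths
NOTQ = '[^“”"]+'
DETECT_RE = re.compile(
    "^Sign of " + Q + "(?P<sig>" + NOTQ + ")" + Q + " has been found in "
    + Q + "(?P<obj>" + NOTQ + ")" + Q + r" file\.$"
)
ERROR_RE = re.compile(
    r"^Function (?P<func>\w+)\(\) has failed\. Return code is (?P<code>0x[0-9A-Fa-f]+)"
)
SIG_RE = re.compile(r"^(?P<name>.+?)\s*\[(?P<cat>\w+)\]$")   # "Name [Trj]"
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")                  # drive-letter path


@dataclass
class Record:
    local_time: datetime
    epoch: int
    utc_offset_hours: float
    user: str
    pid: int
    kind: str                     # "detection", "engine_error" or "other"
    message: str
    signature: Optional[str] = None
    category: Optional[str] = None   # avast suffix: Trj, Expl, ...
    obj: Optional[str] = None        # path or URL the signature hit
    on_disk: bool = False            # drive-letter path vs. URL
    func: Optional[str] = None
    code: Optional[int] = None


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for one log line, or None if the prefix does not match."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    local = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    epoch = int(m["epoch"])
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc).replace(tzinfo=None)
    rec = Record(local_time=local, epoch=epoch,
                 utc_offset_hours=(local - utc).total_seconds() / 3600,
                 user=m["user"], pid=int(m["pid"]), kind="other", message=m["msg"])
    d = DETECT_RE.match(rec.message)
    if d:
        rec.kind = "detection"
        s = SIG_RE.match(d["sig"])
        rec.signature = s["name"] if s else d["sig"]
        rec.category = s["cat"] if s else None
        rec.obj = d["obj"]
        rec.on_disk = bool(LOCAL_PATH_RE.match(rec.obj))
        return rec
    e = ERROR_RE.match(rec.message)
    if e:
        rec.kind = "engine_error"
        rec.func = e["func"]
        rec.code = int(e["code"], 16)
    return rec


def parse_log(text: str) -> List[Record]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def summarize(records: List[Record]) -> dict:
    """Triage view: what is actually on disk, what was only seen in transit,
    and whether the epoch and wall-clock columns tell the same story."""
    offsets = {r.utc_offset_hours for r in records}
    dets = [r for r in records if r.kind == "detection"]
    return {
        "detections": len(dets),
        "engine_errors": sum(r.kind == "engine_error" for r in records),
        # Only drive-letter paths need chest/restore decisions; a URL object
        # (per a later reply in the thread) was blocked by the web shield.
        "on_disk_objects": [r.obj for r in dets if r.on_disk],
        "blocked_urls": [r.obj for r in dets if not r.on_disk],
        # One offset across the log = columns agree; a jump would point at a
        # DST/timezone change or a clock that was moved between entries.
        "consistent_clock": len(offsets) == 1,
        "utc_offset_hours": next(iter(offsets)) if len(offsets) == 1 else None,
    }


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(r.local_time, r.kind, r.signature or r.func, r.obj or r.code)
    print(summarize(parse_log(SAMPLE_LOG)))
```

On the three sample lines this reports one detection with an on-disk object (the .msp under C:\WINDOWS\Installer), one detection that was only a URL, one engine error, and a single UTC offset of -7 hours for all three entries, so the log's own timestamps are internally consistent.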

Try Malwarebytes’ Anti-Malware (MBAM) …

Dear Experts,

By the way, here are additional symptoms:

In my Avast chest, I also have the following three files, transferred 6/18/2009:
c:\WINDOWS\system32\kernel32.dll
c:\WINDOWS\system32\winsock.dll
c:\WINDOWS\system32\wsock32.dll

I’m not sure how to interpret this – or if I need to act on this information.

  • An uncertain PC User

My avast also detected those files some 3 years ago as infected… I put them in the chest and forgot about them… what do they do exactly?
edit: and I re-scanned them right now and got “no virus”

@ forest53
Please ‘modify’ your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

The alert with the internet URL is blocked from getting on your system by the web shield.

The Win32:Bifrose-EGW [Trj] is now safely in the chest where it can do no harm. However, at the time this was detected there was, I believe, a false positive detection on these files with an .msp file type. Right-click on this file in the chest (Infected Files section) and scan it again. If it is no longer detected you can Restore it (right-click and select Restore).

Files that can’t be scanned are just that: not an indication that they are suspicious/infected, just unable to be scanned.

Many programs (usually security-based ones) password protect their files for legitimate reasons, such as AdAware and Spybot Search & Destroy; there are others too (and avast doesn’t know the password or have any way of using it even if it did know it).

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected. You should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so); this will reduce the number of files that can’t be scanned.

By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to. You may need to expand the column headings to see all the text.

If you can give some examples of those file names, the locations and the reason given for why they can’t be scanned, it might help us further.

I really do wish Alwil would get rid of this All Chest Files collation of the three sections:

  • The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
  • The User Files section is where the user can add files they suspect of being malware but not detected by avast.
  • The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).
  • The All Chest Files is a collation of the three sections.

so this is only a sort of backup for the crucial files of the system?

Yes, and avast didn’t detect them, as you surmised earlier, which is why nothing was detected when you scanned them; they are copied in case the original becomes infected.

Thanks, Black3agl3. I downloaded Malwarebyte’s Anti-Malware and am running a scan.
Thanks DavidR. I now understand the backup files in the Avast Chest.
DavidR, I plan to rerun the pre-boot Avast scan and pencil down the warning messages on the archive files, and post them. I probably will not have time to do this till tomorrow.

Yahoo error message
By the way, here is the error message I get from Yahoo as a result of this problem (when I try to send an email via Yahoo, while using Firefox.)

“Sorry, Unable to process request at this time – error 999.
Yahoo!”

“Unfortunately we are unable to process your request at this time. This error is usually temporary. Please try again later.”

“If you continue to experience this error, it may be caused by one of the following:

* You may want to scan your system for spyware and viruses, as they may interfere with your ability to connect to Yahoo!. For detailed information on spyware and virus protection, please visit the Yahoo! Security Center.
* This problem may be due to unusual network activity coming from your Internet Service Provider. We recommend that you report this problem to them.”

Thanks DavidR:

Following your directions below – I determined the virus was no longer detected, so I restored the file.

“The Win32:Bifrose-EGW [Trj] is now safely in the chest where it can do no harm. However, at the time this was detected there was, I believe, a false positive detection on these files with an .msp file type. Right-click on this file in the chest (Infected Files section) and scan it again. If it is no longer detected you can Restore it (right-click and select Restore).”

  • Forest53

You’re welcome.

Unfortunately I don’t use Yahoo so I’m not a lot of practical help on this, http://www.google.com/search?q=error+999.

If you have restored the aca27.msp file (bifrose) and it is back in the original location, you can delete the copy that is still in the Infected Files section of the chest.

You’re using Windows SP2, which has several security vulnerabilities, and Windows SP3 has been available for over a year with performance enhancements and several Critical Security Updates, so in IE go to Tools, then Windows Update, then download and install all updates.

Go to Control Center, then Security Center, and set it to Automatic Updates (Recommended), or at least to Notify me about updates but do not download nor install them.

Run Secunia Online Software Inspector to see what other applications have vulnerabilities:
http://secunia.com/vulnerability_scanning/online